March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Update – Windows Utility Regsvr32 Targeted by Cybercriminals – Active IOCs
February 10, 2022
Rewterz Threat Advisory – ICS: Multiple Siemens SIMATIC Vulnerabilities
February 11, 2022
Rewterz Threat Update – Windows Utility Regsvr32 Targeted by Cybercriminals – Active IOCs
February 10, 2022
Rewterz Threat Advisory – ICS: Multiple Siemens SIMATIC Vulnerabilities
February 11, 2022
Severity
High
Analysis Summary
Linux environments are considered safer and more secure than windows environments. For the accessibility and security reasons, cloud services, container-based infrastructure, and Virtual Machines (VMs) are developed in Linux environments. Considering this, threat actors have started targeting Linux vulnerabilities and with sophisticated malware. As predicted by Rewterz Threat Intel Report, Ransomware has increased exponentially this year (although it just the Q1 of 2022). Ransomware groups are targeting Linux hosts to infect virtual-machine containers or images. Cobalt Strike, is a legitimate Pen test (penetration testing) toolkit that deploys “beacons” on infected devices to perform malicious behaviors. It is commonly used in ransomware attacks. The tool has become a way to manage compromised machines. So much so that Linux based versions of the tool which are protocol-compatible versions have been developed and deployed.
“Most research has been focused on the Windows side, but we are now seeing an increase in attacks on the Linux side and especially against multicloud infrastructure,” Threat Analyst from VMware says. “Most of the cases we see involve misconfiguration at the hypervisor level or, at the server level, shared accounts, shared passwords, and poorly configured role-based access controls.”
“The main attack surface area is still stolen credentials, which has the advantage that it takes a longer time to understand that a compromise has happened,” he says. “The login could seem absolutely normal and an attacker gets access to resources, but it’s not until things start going in the wrong direction that the breach is actually identified.”
Impact
- Exposure of Sensitive Data
- Remote Code Execution
- Gain Access
- Cyber Espionage
- Data Theft
Indicators of Compromise
URL
- http[:]//foxofeli[.]com[:]443/template[.]css
- https[:]//foxofeli[.]com/template[.]css
- https[:]//theshuaianow[.]xyz/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- https[:]//dev[.]cubic-transportation[.]com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- https[:]//168[.]61[.]180[.]98/updates[.]rss
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Search for IOCs in your environment.